Alerts FAQ

How can I integrate Alerts with different tools, including ITSM systems such as ServiceNow?

Use Webhooks to integrate Nexthink with other Software as a Service (SaaS) applications. Refer to the Webhooks documentation for more information.

I need to review the integration for security purposes. What security measures are in place for Nexthink integrations via Webhooks?

As of today, webhooks support authentication using:

  • OAuth2 – Client Credentials

  • OAuth2 – Authorization Code

  • Basic

  • Bearer Token

  • No Auth (None)

We rely on the third-party services receiving notifications to accept one of these security methods.

How do I send notifications about alerts triggered for specific applications only to the respective application team?

Use Webhooks to distribute notifications to different destinations based on the alert content such as payload, priority, tags or monitor name.

For example, to configure notifications displayed in specific MS Teams channels whenever an alert is triggered for the Salesforce application, follow these steps:

  1. Create a webhook outbound connector to the MS Teams channel. Refer to the Webhook documentation for more details.

  2. Select monitors that should send notifications to the respective MS Teams channel upon alert triggering. Nexthink recommends using monitor Tags to identify more than one monitor. In this example, use the web-applications tag for all monitors that trigger application alerts.

  3. Ensure each alert contains the application name in the alert payload, in this case, Salesforce.

  4. Write a webhook NQL query that selects only those alerts that should send notifications to the given channel. See the example below.

    alert.alerts
    | where monitor.tags contains "web-applications"
    | where alert.context contains "*Salesforce*"
    | list alert.monitor.name, alert.status, monitor.tags, alert.context, 
           trigger_time, recovery_time, alert.monitor.thresholds, 
           monitor.priority, alert.trigger_values, 
           alert.trigger_reference_value, alert.recovery_values

  5. Create a webhook payload that the system will send as a notification message. Use dynamic variables to send information about the details of the triggered alert.

Can I send a notification about the closed alert to ServiceNow to update the ticket?

Yes. The alerting system sends two messages to webhooks for each alert: one when the alert is triggered and another when the alert is closed. Include alert.status in the notification payload so the ITSM system can distinguish the two messages and react to each. The alert UID is the unique key of the alert and is the same in both messages. When querying alert events using NQL, you only retrieve one alert event per unique ID; when the alert is closed, that event is updated with the new status.
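The receiving side of this exchange, as an added illustration that is not Nexthink code and not part of this FAQ: a minimal webhook endpoint for an ITSM system that first checks the Bearer token (one of the authentication methods listed above), then uses the alert UID as the idempotency key so that the "triggered" message opens a ticket and the later "closed" message updates that same ticket. The payload field names (`alert_uid`, `alert_status`, `monitor_name`), the status values `open`/`closed`, and the token value are constructed assumptions; map them to whatever your webhook payload template actually emits.

```python
import hmac
import json
from dataclasses import dataclass, field

# Constructed example token; in practice this is the Bearer token configured
# on the webhook connector (assumption: sent as "Authorization: Bearer <token>").
EXPECTED_BEARER = "constructed-example-token"

# Assumed status values carried in alert.status; adjust to your payload.
STATUS_TRIGGERED = "open"
STATUS_CLOSED = "closed"


@dataclass
class Ticket:
    uid: str            # alert UID, shared by both notification messages
    monitor: str
    state: str = "open"
    events: list = field(default_factory=list)


class TicketStore:
    """Stand-in for the ITSM system, keyed by alert UID."""

    def __init__(self):
        self.tickets = {}


def check_bearer(headers, expected=EXPECTED_BEARER):
    """Constant-time comparison of the presented Bearer token."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token, expected)


def handle_notification(store, headers, body):
    """Process one webhook delivery; returns (http_status, outcome)."""
    if not check_bearer(headers):
        return 401, "unauthorized"
    try:
        msg = json.loads(body)
    except ValueError:
        return 400, "invalid-json"
    uid, status = msg.get("alert_uid"), msg.get("alert_status")
    if not uid or status not in (STATUS_TRIGGERED, STATUS_CLOSED):
        return 400, "missing-uid-or-status"

    ticket = store.tickets.get(uid)
    if status == STATUS_TRIGGERED:
        if ticket is not None:          # redelivery of the same trigger message
            ticket.events.append("duplicate-trigger")
            return 200, "duplicate-ignored"
        store.tickets[uid] = Ticket(uid=uid, monitor=msg.get("monitor_name", ""),
                                    events=["opened"])
        return 201, "ticket-opened"

    # status == STATUS_CLOSED: update the ticket opened by the first message
    if ticket is None:
        return 404, "no-ticket-for-uid"
    ticket.state = "resolved"
    ticket.events.append("closed")
    return 200, "ticket-resolved"


def run_constructed_exchange():
    """Replays a constructed trigger/duplicate/close sequence for one alert."""
    store = TicketStore()
    good = {"Authorization": "Bearer " + EXPECTED_BEARER}
    bad = {"Authorization": "Bearer wrong-token"}
    trigger = json.dumps({"alert_uid": "uid-123", "alert_status": STATUS_TRIGGERED,
                          "monitor_name": "Salesforce latency"})
    close = json.dumps({"alert_uid": "uid-123", "alert_status": STATUS_CLOSED,
                        "monitor_name": "Salesforce latency"})
    outcomes = [
        handle_notification(store, bad, trigger),     # rejected, no ticket created
        handle_notification(store, good, trigger),    # opens ticket
        handle_notification(store, good, trigger),    # redelivery, ignored
        handle_notification(store, good, close),      # resolves same ticket
    ]
    return outcomes, store


if __name__ == "__main__":
    results, db = run_constructed_exchange()
    for code, outcome in results:
        print(code, outcome)
    print(db.tickets["uid-123"])
```

Keying on the UID rather than on monitor name is what keeps the handler correct under redelivery: a repeated trigger message produces no second ticket, and the close message always lands on the ticket the trigger opened.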

Can I send additional device fields, such as the last logged user or Entity, with an alert sent to ServiceNow via webhook?

Yes. To send notifications and open ITSM tickets for a single device, create a monitor that detects issues affecting one device and includes the device in the alert payload. Do not include additional device properties in the alert payload. Instead, reference these device properties in the notification message when creating the webhook. Example webhook query:

alert.alerts
| where monitor.tags contains "device"
| list alert.monitor.name, alert.status, alert.uid, 
       trigger_time, recovery_time, device.Entity, 
       device.hardware.type, device.login.last_login_user_name

How do I prevent alerts from being triggered by metric spikes when only a few users are affected?

A recommended way to ensure alerts are not triggered when very few devices are active, for example, during weekends, is to use multiple thresholds. Create a monitor and define your main evaluated metric. Additionally, compute more metrics, such as the number of active users and devices with issues, and use them as additional thresholds.
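The multi-threshold evaluation described above, as an added example that is not part of this FAQ and not Nexthink's monitor engine: the main metric (here the share of active devices with issues) only raises an alert when the supporting metrics, the number of active devices and the number of devices with issues, also clear their minimums. The threshold values and the daily samples are constructed; a weekend sample with two failing devices out of three shows a 67% ratio but does not trigger.

```python
from dataclasses import dataclass


@dataclass
class Thresholds:
    max_issue_ratio: float       # main evaluated metric: issues / active devices
    min_active_devices: int      # additional threshold: enough devices online
    min_devices_with_issues: int # additional threshold: enough affected devices


@dataclass
class Sample:
    label: str
    active_devices: int
    devices_with_issues: int


def issue_ratio(sample):
    """Main metric; 0.0 when nothing is active so a quiet period never divides by zero."""
    if sample.active_devices == 0:
        return 0.0
    return sample.devices_with_issues / sample.active_devices


def evaluate(sample, t):
    """Return (triggered, reasons): every threshold must hold for the alert to fire."""
    ratio = issue_ratio(sample)
    reasons = []
    if ratio <= t.max_issue_ratio:
        reasons.append(f"ratio {ratio:.2f} <= {t.max_issue_ratio}")
    if sample.active_devices < t.min_active_devices:
        reasons.append(f"active {sample.active_devices} < {t.min_active_devices}")
    if sample.devices_with_issues < t.min_devices_with_issues:
        reasons.append(f"affected {sample.devices_with_issues} < {t.min_devices_with_issues}")
    return (not reasons), reasons


def evaluate_week(samples, t):
    """Map each sample label to whether the monitor would trigger on it."""
    return {s.label: evaluate(s, t)[0] for s in samples}


# Constructed thresholds and daily samples for illustration.
THRESHOLDS = Thresholds(max_issue_ratio=0.10, min_active_devices=50,
                        min_devices_with_issues=10)
WEEK = [
    Sample("mon", active_devices=500, devices_with_issues=60),   # 12%: real incident
    Sample("tue", active_devices=520, devices_with_issues=20),   # 4%: normal
    Sample("sat", active_devices=3, devices_with_issues=2),      # 67%: spike, 3 devices
    Sample("sun", active_devices=0, devices_with_issues=0),      # nothing active
]

if __name__ == "__main__":
    for s in WEEK:
        fired, why = evaluate(s, THRESHOLDS)
        print(s.label, "TRIGGER" if fired else "quiet", why)
```

Without the two supporting thresholds the Saturday sample would fire on its 67% ratio alone; with them the ratio still has to be backed by a meaningful population before it counts.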
